From b8439789f4d8dbcad0493ee96b5700605ce49e3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Benkovsk=C3=BD?=
Date: Tue, 23 Nov 2021 14:03:26 +0100
Subject: [PATCH] support plain HTTP for DoH (#4997)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Ondřej Benkovský
---
 README.md                      |  9 ++++++++-
 core/dnsserver/server_https.go |  8 ++++----
 plugin/tls/README.md           | 10 +++++++++-
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 96305aa39..2a5d57c48 100644
--- a/README.md
+++ b/README.md
@@ -201,8 +201,15 @@ https://example.org {
     tls mycert mykey
 }
 ~~~
+in this setup, the CoreDNS will be responsible for TLS termination
 
-Note that you must have the *tls* plugin configured as DoH requires that to be setup.
+you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind
+of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
+~~~ corefile
+https://example.org {
+    whoami
+}
+~~~
 
 Specifying ports works in the same way:
 
diff --git a/core/dnsserver/server_https.go b/core/dnsserver/server_https.go
index 5962a5f09..b8bdbc66d 100644
--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -39,12 +39,12 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
 		// Should we error if some configs *don't* have TLS?
 		tlsConfig = conf.TLSConfig
 	}
-	if tlsConfig == nil {
-		return nil, fmt.Errorf("DoH requires TLS to be configured, see the tls plugin")
-	}
+
 	// http/2 is recommended when using DoH. We need to specify it in next protos
 	// or the upgrade won't happen.
-	tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	if tlsConfig != nil {
+		tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	}
 
 	// Use a custom request validation func or use the standard DoH path check.
 	var validator func(*http.Request) bool
diff --git a/plugin/tls/README.md b/plugin/tls/README.md
index da33c0951..9d945b83e 100644
--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -2,7 +2,7 @@
 
 ## Name
 
-*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
+*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
 
 ## Description
 
@@ -57,6 +57,14 @@ grpc://. {
 }
 ~~~
 
+Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
+~~~
+https://. {
+    tls cert.pem key.pem ca.pem
+    forward . /etc/resolv.conf
+}
+~~~
+
 Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making debugging these transports harder than it should be.
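Review bot: With the `if tlsConfig == nil` error removed, a DoH listener whose server block has no `tls` directive now silently starts over cleartext instead of failing at startup, so a missing or misspelled `tls` block becomes a running plain-HTTP server rather than a configuration error, and nothing in the hunk records that choice. I would at least emit a startup warning in an `else` branch of the new `if tlsConfig != nil`, for example `log.Warningf("DoH listener %s: no TLS configured, serving plain HTTP; TLS must be terminated in front of CoreDNS", addr)` with whatever logger this file already has in scope, so an operator can see the downgrade in the logs. The pre-existing `// Should we error if some configs *don't* have TLS?` question inside the loop is now more pressing, because with mixed configs the group appears to keep whichever `TLSConfig` was assigned last and nothing reports the inconsistency; that loop's head is outside the hunk. The `http/2` comment could also note that `NextProtos` only takes effect through ALPN, so the new plain-HTTP path serves HTTP/1.1 only. NewServerHTTPS continues past the hunk, so whether the nil `tlsConfig` is handled correctly at serve time is not visible here.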